1. Who we are
Nom Nom d.o.o. (hereinafter „Nom Nom”, „we”, „us” or similar) is a limited liability company duly incorporated and registered in Croatia, having its registered office at Savska cesta 41, Zagreb, 10000, Croatia, OIB 62444693223.
We collect and process several categories of personal data from you as a user of the website nomnom-app.com and nomnom-app.ro (hereinafter the „Website”) and the “Nom Nom” and “Nom Nom Waiter” mobile apps and the “Nom Nom Admin” web app, available at the admin.nomnom-app.com address ( the „Applications”), which, in compliance with European Union data protection law, makes us a data controller for such data.
We take your privacy extremely seriously and this notice of personal data processing describes our policies and practices regarding our collection and use of your personal data – such as what data we collect, why we collect it, and what we do with it, and sets forth your privacy rights.
2. How we collect your personal data
Personal Data may be collected or accessed in a number of ways, including:
- directly from you (from your form input data on the Website or Applications);
- observed by us when you navigate on our Website or Applications (IP, website navigation, orders, etc.).
2.1. Data provided by you directly
As a visitor, you do not have to submit any personal data in order to use the Website. However, in order to use our Applications, you will need to create a user account.
In addition, personal data that are specifically and voluntarily provided by visitors may be collected through the Website or Applications, as follows:
2.1.1. Create account
Our Website and Applications use forms by which you may create an account, that include fields such as first and last name, date of birth, gender, email address, physical address, country of residence, username and password. While creating an account, the user has the option to also upload a profile image.
We process this data under the legal basis of performing a contract with users, in order to enable you to easily log into our Website or Applications and place orders. This data will be kept for the duration of existence of the user account, until the user deletes / inactivates the account.
2.1.2. Administrative information
The administrator application, “Nom Nom Admin” uses forms for the creation and editing of all necessary entities needed for a restaurant to be functional inside our platform, including, but not limited to:
In addition to this, it may be possible for us to request, manually or by using automatic mechanisms and in the limit of the law, additional details to verify your position as an official representative of the company or companies that you created in our platform.
We process these data so that we give you permission to list your restaurant in our platform and so that we can prevent and detect possible fraud.
This data is stored for the duration of existence of your account. In case the removal of one of these entities is necessary, the user must contact Nom Nom, who will manually operate the removal, after validating the request, so that we can maintain data integrity and correctness for the remaining data.
2.1.3. Place an order
When you order through our Applications, we might also ask for your payment information, and any preferences (e.g. meal preferences) you have for your order.
We process this data under the legal basis of performing a contract with users, in order to:
- ensure orders are processed and delivered to you,
- communicate with you regarding orders, and
- take payment and give refunds.
In addition to this, our system will automatically store data regarding your order, its contents, the date it was placed, and the payment method used. This data is used so that we can offer you and restaurants a history of the orders.
This data is stored for the duration of existence of your account.
2.1.4. Finding available restaurants for you
For us to be able to present you with a list of available restaurants in your area, you will need to provide us with your address or location.
This information can be collected automatically and stored in log files.
2.1.5. Contact form or registration of complaints
Our Applications also give you the ability to send us a message via the contact form and to submit a complaint via the dedicated section. The data that you input in the contact form is processed based on our legitimate interest to respond to your inquiry and/or to keep a record of your complaint, request, and the like.
This data is stored for the duration of existence of your account.
In addition, we can use any of the data indicated at this section 2.1 under our legitimate interest, for providing you with the best appropriate content for the Website or Applications, emails and newsletters, to improve and promote our products and services and for administrative, fraud detection and legal purposes.
2.2. Use of the Website and Applications
The Website and Applications collect certain information automatically and store it in log files. The information may include internet protocol (IP) addresses, the region or general location where your computer or device is accessing the internet, browser type, operating system and other usage information about the use of the Website or Applications, including a history of the pages you view.
We use this information to help us design our site to better suit our users’ needs. We may also use your IP address to help diagnose problems with our server and to administer our Website and Applications, analyze trends, track visitor movements, and gather broad demographic information that assists us in identifying visitor preferences.
3. How we share information
We will disclose your personal data only for the purposes and to those third parties, as described below. We will take appropriate steps to ensure that your personal data is processed, secured, and transferred according to applicable law.
3.1. Disclosure to third parties
We will share only the strictly necessary parts of your personal data, on a need-to-know basis with the following categories of third parties:
- Partner Restaurants, to whom Nom Nom shares orders content, special instructions, to the extent necessary to process those orders
- Companies that provide products and services to us (processors), such as:
- media agencies, such as those organizing promotional campaigns and those administering the Website or Applications;
- website services: analytics, advertising;
- infrastructure agencies (other parties that handle the email newsletter, SMS marketing or other kinds of marketing, client support or sales activities in our name);
- information technology systems suppliers and support, including email archiving, telecommunication suppliers, backup and disaster recovery and cyber security services.
- companies involved in the operation of our Website or Applications, where they are not providing a service for us.
- other parties such as public authorities and institutions, accountants, auditors, lawyers and other outside professional advisors, where their activity requires such knowledge or where we are required by law to make such a disclosure.
We will also disclose your personal information to third parties:
- if you request or authorize so;
- to persons demonstrating legal authority to act on your behalf;
- where it is in our legitimate interests to do so to run, grow and develop our business:
- if we sell any business or assets related to the Website or Applications you are subscribing to, we may disclose your personal information to the prospective buyer of such business or assets, in order to ensure that the activity continues as a going concern;
- if Nom Nom or substantially all its assets are acquired by a third party, in which case personal information held by Nom Nom will automatically be one of the transferred assets;
- if we are under a duty to disclose or share your personal information in order to comply with any legal obligation, any lawful request from government officials and as may be required to meet national security or law enforcement requirements or prevent illegal activity;
- to respond to any claims, to protect our rights or the rights of a third party, to protect the safety of any person or to prevent any illegal activity; or
- to protect the rights, property or safety of Nom Nom, our employees, customers, suppliers or other persons.
Some of these recipients (including our affiliates) may use your data in countries which are outside of the European Economic Area. Please see Section 4 below for more detail on this aspect.
3.2. Restrictions on use of personal information by recipients
Save as expressly detailed above, we will never share, sell or rent any of your personal information to any third party without notifying you and, if applicable, obtaining your consent.
4. Transfers of information outside of the European Economic Area
The personal information may be processed by staff operating outside the EEA working for us, or third-party data processors for the purposes mentioned above.
- in the case of US based service providers, entering into European Commission approved standard contractual arrangements with them, or ensuring they have signed up to the EU-US Privacy Shield (see further https://www.privacyshield.gov/welcome), or
- in the case of service providers based in other countries outside the EEA, entering into European Commission approved standard contractual arrangements with them.
Further details on the steps we take to protect your personal information in these cases is available from us on request by contacting us (see section 8 below) at any time.
5. Your rights
As a data subject you have specific legal rights relating to the personal data we collect from you. Nom Nom will respect your individual rights and will deal with your concerns adequately.
- Right to withdraw consent: Where you have given consent for the processing of your personal data, you may withdraw your consent at any moment;
- Right to rectification: You may obtain from us rectification of personal data concerning you. We make reasonable efforts to keep personal data in our possession or control which are used on an ongoing basis, accurate, complete, current and relevant, based on the most recent information available to us. In appropriate cases, we provide self-service internet portals where users have the possibility to review and rectify their personal data. For instance, you can edit the first and last name, phone number, physical address and country of residence, gender, date of birth, email address and profile image associated with your account through the Settings menu of our Applications;
- Right to restriction: You may obtain from us restriction of processing of your personal data, if:
- you contest the accuracy of your personal data, for the period we need to verify the accuracy,
- the processing is unlawful, and you request the restriction of processing rather than erasure of your personal data,
- we do no longer need your personal data, but you require them for the establishment, exercise or defense of legal claims, or
- you object to the processing while we verify whether our legitimate grounds override yours.
- Right to access: You may ask from us information regarding personal data that we hold about you, including information as to which categories of personal data we have in our possession or control, what they are being used for, where we collected them, if not from you directly, and to whom they have been disclosed, if applicable. We will provide you with a copy of your personal data upon request and, you can download your data regarding your account and your orders from the Settings menu inside the Applications;
- Right to portability: As of May 25th 2018, you have the right to receive your personal data that you have provided to us, and, where technically feasible, request that we transmit your personal data (that you have provided to us) to another organization.These are rights you have if:
- we process your personal data by automated means,
- we base the processing of your personal data on your consent, or our processing of your personal data are necessary for the execution or performance of a contract to which you are a party,
- your personal data are provided to us by you, and
- the transmission of your personal data does not adversely affect the rights and the freedoms of other persons.
You have the right to receive your personal data in a structured, commonly used and machine-readable format.
Your right to receive your personal data must not adversely affect the rights and the freedoms of other persons. This may be the case if a transmission of your personal data to another organization also involves the transmission of the personal data of other (non-consenting) individuals.
Your right to have your personal data transmitted from us to another organization is a right you have if such transmission is technically feasible.
- Right to erasure: You have the right to request that we delete the personal data we process about you. We must comply with this request if we process your personal data, unless the data is necessary:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation that binds us;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes; or
- for the establishment, exercise or defense of legal claims.
- Right to object: You may object – at any time – to the processing of your personal data due to your particular situation, provided that the processing is not based on your consent but on our legitimate interests or those of a third party. In this event we shall no longer process your personal data, unless we can demonstrate compelling legitimate grounds and an overriding interest for the processing, or for the establishment, exercise or defense of legal claims. If you object to the processing, please specify whether you also wish the erasure of your personal data, otherwise we will only restrict it.You may always object to the processing of your personal data for direct marketing that was based on our legitimate interest, regardless of any reason. If the marketing was based on your consent, you can withdraw consent.
- Right to lodge a complaint: You can lodge a complaint to the data protection supervisory authority:
Name: National Supervisory Authority for Processing of Personal Data Address: G-ral. Gheorghe Magheru Boulevard 28-30, Sector 1, postal code 010336, Bucharest, Romania Telephone: +40.318.059.211
Fax: +40.318.059.602 Email: firstname.lastname@example.org
- Time period: We will try to fulfill your request within 15 days. As of May 25th, 2018, the period is 30 days and it may be extended due to specific reasons relating to the specific legal right or the complexity of your request. In all cases, if this period is extended, we will inform you about the term of extension and the reasons that led to it.
- Restriction of access: In certain situations, we may not be able to give you access to all or some of your personal data due to statutory provisions. If we deny your request for access, we will inform you of the reason for the refusal.
- No identification: In some cases, we may not be able to look up your personal data due to the identifiers you provide in your request. In such cases, where we cannot identify you as a data subject, we are not able to comply with your request to execute your legal rights as described in this section, unless you provide additional information enabling your identification. We will inform you and give you the opportunity to provide such additional details.
- Exercise your legal rights: In order to exercise your legal rights, please contact us in writing (including electronically) at the contact details provided in section 8 below.
Nom Nom is committed to protecting personal information from loss, misuse, disclosure, alteration, unavailability, unauthorized access and destruction and takes all reasonable precautions to safeguard the confidentiality of personal information, including through use of appropriate technical measures. These measures include the use of encryption, passwords for access to our systems, use of anti-virus software and using a hosting service provider that respects all the requirements for data protection in effect and that takes all the possible technical measures to protect the security of data.
In the course of provision of your personal data to us, your personal information may be transferred over the internet. Although we make every effort to protect the personal information which you provide to us, the transmission of information between you and us over the internet is not completely secure. As such, we cannot guarantee the security of your personal information transmitted to us over the internet and that any such transmission is at your own risk. Once we have received your personal information, we will use strict procedures and security features to prevent unauthorized access to it.
8. Contact information
Please direct your questions regarding the subject matter of data protection and any requests in the exercise of your legal rights to the following contact details: email@example.com, Savska cesta 41, Zagreb, 10000, Croatia.
We will investigate and attempt to resolve any request or complaint regarding the use or disclosure of your personal information.
If you are not satisfied with our reply, you may also make a complaint to the National Supervisory Authority for Processing of Personal Data. You can find further information about the process at: http://dataprotection.ro/?page=procedura_de_solutionare_a_plangerilor.
9. Other provisions
This document was approved on April 1st, 2019 and will be in effect starting with this date
For any aspect regarding our platform, you can contact us at the following email address: firstname.lastname@example.org.